
Partial Period Autocorrelations of Geometric Sequences∗

Andrew Klapper† and Mark Goresky‡


Abstract. For a binary pseudorandom sequence {S_i} with period N, the partial period autocorrelation function A_S(τ, k, D) is defined by correlating the portion of the sequence within a window of size D, and start position k, with the portion in another window of the same size but starting τ steps later in the sequence. A distribution of possible partial period autocorrelation values is obtained by allowing the start position k to vary over all possible values 0 ≤ k < N. The expectation value is proportional to the periodic autocorrelation function A_S(τ). In this paper the variance in the partial period autocorrelation values is estimated for a large class of binary pseudorandom sequences, the so-called “geometric sequences”. An estimate is given for the minimum window size D which is needed in order to guarantee (with probability of error less than ε) that a signal has been synchronized, based on measurement of a single partial period autocorrelation value.

1 Introduction

During the last 30 years, a number of efforts have been made at understanding partial period correlation properties of binary pseudorandom sequences. Even today, explicit results are known for only a limited collection of sequences, and these have been difficult to arrive at. (See [9] and [5] for surveys of known results up to 1985.) In this paper we formulate explicit partial period autocorrelation estimates for a large class of binary pseudorandom sequences, the so-called geometric sequences. These are obtained by starting with a linear recurrence sequence (or “linear feedback shift register sequence”) with values in a finite field GF(q), and filtering the output through a nonlinear “feedforward function” f : GF(q) → GF(2) which takes binary values. This large class of pseudorandom sequences includes m-sequences [3], GMW sequences [4, 17], Bent sequences [15, 18], cascaded GMW sequences [7], the Chan-Games stream cipher [1] and many others. Because they are readily generated using shift register hardware, may have enormous linear span ([7], [1], [16]), and optimally low periodic autocorrelation values ([7]), the geometric sequences are natural candidates for use in secure spread spectrum applications. Knowledge of their partial period correlation properties is desired for demodulation, synchronization, and evaluation of their cryptographic security (see [16], [18], and [1]).

∗ Parts of this work have been presented at Asiacrypt ’91, November, 1991.

† Northeastern University, Boston, MA 02115 and the University of Manitoba, Winnipeg, Manitoba R3T 2N2. Project sponsored by the National Security Agency under Grant Number MDA904-91-H-0012. The United States Government is authorized to reproduce and distribute reprints notwithstanding any copyright notation hereon.

‡ Northeastern University, Boston, MA 02115.

It is well known ([18], [9]) that the expected value of the partial period autocorrelation values for a periodic sequence is proportional to the periodic autocorrelation values, which have recently been computed for geometric sequences in general [2]. Thus, if the geometric sequence is chosen so as to have low periodic autocorrelation, the same will be true for the averaged partial period autocorrelation values. However, this information is of little value without further knowledge of the spread of possible values of the partial period autocorrelations. In this paper we compute the expected value and the variance (or second moment) of these partial period values, in a manner analogous to that of [18], where the case of m-sequences was studied. We will show that, for geometric sequences, the variance in partial period autocorrelation values is very small, by giving an estimate on the variance which does not involve any knowledge of the parameters in the feedforward function f.

If {S_1, S_2, . . .} is a periodic binary pseudorandom sequence, a partial period autocorrelation value is obtained by correlating the portion of the sequence which appears within a “window” of size D, which starts at position k, with the portion of the sequence appearing in another window of the same size, but shifted τ steps later in the sequence. In this paper, “expectation values” are obtained by averaging these values over all possible start positions k. Several authors who have studied similar questions average these correlation values over all possible start positions and all possible shifts τ. The double averaging results in a somewhat easier expression to evaluate, but the resulting information may be less valuable than that which is derived here.

The authors would like to thank Agnes Chan for indicating to us the importance of these questions and W. Casselman for useful conversations.

2 Geometric Sequences and Correlations

In this section we recall the definition of geometric sequences and some of their basic properties, and the definition of full and partial period autocorrelation functions of periodic sequences. Geometric sequences are based on algebra over finite fields, and we recall first some of the basic concepts we will use. See Lidl and Niederreiter’s or McEliece’s book [11, 12] for a more detailed treatment of finite fields.

Let q be a fixed power of a prime number, and let GF(q) denote the Galois field with q elements. We consider this to be a “base” field. For any n ≥ 1, we denote the trace function from GF(q^n) to GF(q) by $\mathrm{Tr}^{q^n}_q$, defined by

$$\mathrm{Tr}^{q^n}_q(x) = \sum_{i=0}^{n-1} x^{q^i}.$$

Then $\mathrm{Tr}^{q^n}_q$ is a GF(q)-linear function, and every GF(q)-linear function f from GF(q^n) to GF(q) can be written in the form $f(x) = \mathrm{Tr}^{q^n}_q(Ax)$, for some A ∈ GF(q^n). For any m ≥ 1 we have

$$\mathrm{Tr}^{q^{nm}}_q(x) = \mathrm{Tr}^{q^n}_q\!\left(\mathrm{Tr}^{q^{nm}}_{q^n}(x)\right).$$

Let α be a primitive element of GF(q^n). This means that every nonzero element of GF(q^n) is some power of α. The infinite periodic sequence U whose ith term is $U_i = \mathrm{Tr}^{q^n}_q(\alpha^i) \in GF(q)$ is known as an m-sequence over GF(q) of span n [11]. (The familiar case of a binary m-sequence is obtained by taking q = 2.) We may also consider the sequence whose ith term is $\mathrm{Tr}^{q^n}_q(A\alpha^i)$ for some fixed element A of GF(q^n). This amounts to a cyclic shift of the first sequence, so we do not consider it to be a distinct sequence here. Note, however, that changing the primitive element α may result in a completely different m-sequence. It is well known that every m-sequence can be generated by a “linear recurrence”, or a linear feedback shift register of length n over GF(q). It has period q^n − 1, the maximum possible period for a sequence generated by a linear feedback shift register of length n over GF(q). Moreover, every maximal period linear recurrence sequence is (a shift of) an m-sequence [11, pp. 394-410].

Throughout this paper we fix a prime power q, an integer n, a primitive element α ∈ GF(q^n), and a (possibly nonlinear) “feedforward function” f : GF(q) → GF(2).

Definition 1 (Chan and Games [1]) The binary sequence S whose ith term is

$$S_i = f\!\left(\mathrm{Tr}^{q^n}_q(\alpha^i)\right)$$

is the geometric sequence based on the primitive element α and feedforward function f.

Such a geometric sequence is a binary periodic sequence whose period divides q^n − 1. Geometric sequences with q even have been suggested for use in spread spectrum communication systems, due to their (in some cases) optimal autocorrelations, excellent cross-correlation values, and relatively high linear complexities. Geometric sequences with q odd have been used in applications where easily generated sequences with large linear complexities are needed. The geometric sequence S is easy to generate if the feedforward function f is easy to compute.

Definition 2 The periodic autocorrelation function A_S(τ) of S is the function whose value at τ is the correlation of the τ-shift of S with itself:

$$A_S(\tau) = \sum_{i=1}^{q^n-1} (-1)^{S_{i+\tau}} (-1)^{S_i}.$$

We next recall a result due to Chan, Goresky, and Klapper [2] regarding the autocorrelation of a geometric sequence. We use the following notation: $F(x) = (-1)^{f(x)}$ (for x ∈ GF(q)), $I(f) = \sum_{x \in GF(q)} F(x)$, the imbalance¹ of f, and $\Delta_a(f) = \sum_{x \in GF(q)} F(ax)F(x)$, the short autocorrelation function² of f. Set ν = (q^n − 1)/(q − 1). Then α^τ ∈ GF(q^n) lies in the subfield GF(q) ⟺ τ is a multiple of ν.

Theorem 1 The values for the periodic autocorrelation (with shift τ ≠ 0) of the geometric sequence S are:

1. $A_S(\tau) = q^{n-2} I(f)^2 - 1$, if τ is not a multiple of ν.

2. $A_S(\tau) = q^{n-1} \Delta_{\alpha^\tau}(f) - 1$, if ν divides τ.

Corollary 1 Assume the geometric sequence S is as balanced as possible, i.e. I(f) = ±1 if q is odd, and I(f) = 0 if q is even. Then for a shift τ that is not a multiple of ν, the periodic autocorrelation of S is

$$A_S(\tau) = q^{n-2} - 1 \ \text{if } q \text{ is odd, and} \qquad A_S(\tau) = -1 \ \text{if } q \text{ is even.}$$

Furthermore, for q even it is possible to choose f so that $\Delta_{\alpha^\tau}(f) = 0$ when τ ≠ 0 and ν | τ [7]. For such an f, A_S(τ) = −1 whenever τ ≠ 0.
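As an added worked example (not code from the paper or its authors), the following Python builds GF(q^n) for the constructed case q = 3, n = 2, generates the m-sequence U_i = Tr(α^i) and the geometric sequence S_i = f(U_i) of Definition 1, computes the periodic autocorrelation of Definition 2 and the partial period autocorrelation A_S(τ, k, D) from the abstract, and checks the brute-force autocorrelation against Theorem 1 for every shift. The modulus x² + x + 2, the brute-force search for a primitive α, and the feedforward function f (chosen with I(f) = 1, the “as balanced as possible” case of Corollary 1 for q odd) are this example's own assumptions; the field class restricts q to a prime so that GF(q) is the prime field and f can be an ordinary function on integers 0, …, q − 1.

```python
from itertools import product


class PrimePowerField:
    """GF(p^n) as GF(p)[x] modulo a monic irreducible polynomial (so q = p is prime).
    Elements are tuples of n coefficients in GF(p), lowest degree first."""

    def __init__(self, p, modulus):              # modulus coefficients, low degree first, leading 1
        self.p, self.mod, self.n = p, modulus, len(modulus) - 1
        self.one = (1,) + (0,) * (self.n - 1)

    def add(self, a, b):
        return tuple((x + y) % self.p for x, y in zip(a, b))

    def mul(self, a, b):
        p, n = self.p, self.n
        prod = [0] * (2 * n - 1)
        for i, x in enumerate(a):
            for j, y in enumerate(b):
                prod[i + j] = (prod[i + j] + x * y) % p
        for d in range(2 * n - 2, n - 1, -1):    # cancel each degree >= n with a multiple of the modulus
            c = prod[d]
            for k in range(n + 1):
                prod[d - n + k] = (prod[d - n + k] - c * self.mod[k]) % p
        return tuple(prod[:n])

    def pow(self, a, e):                         # square-and-multiply
        result, base = self.one, a
        while e:
            if e & 1:
                result = self.mul(result, base)
            base, e = self.mul(base, base), e >> 1
        return result

    def trace(self, a):
        """Tr(a) = a + a^q + ... + a^(q^(n-1)); it lies in GF(q) and is returned as an int."""
        t = (0,) * self.n
        for i in range(self.n):
            t = self.add(t, self.pow(a, self.p ** i))
        assert not any(t[1:]), "trace must lie in the prime field"
        return t[0]

    def primitive_element(self):
        """Brute-force search for an element of multiplicative order q^n - 1."""
        N = self.p ** self.n - 1
        for cand in product(range(self.p), repeat=self.n):
            if not any(cand):
                continue
            x, order = cand, 1
            while x != self.one:
                x, order = self.mul(x, cand), order + 1
            if order == N:
                return cand


def geometric_sequence(field, alpha, f):
    """Definition 1: S_i = f(Tr(alpha^i)) for i = 0, ..., q^n - 2, i.e. one full period."""
    x, seq = field.one, []
    for _ in range(field.p ** field.n - 1):
        seq.append(f(field.trace(x)))
        x = field.mul(x, alpha)
    return seq


def autocorrelation(seq, tau):
    """Definition 2: A_S(tau) = sum over one period of (-1)^S_{i+tau} (-1)^S_i."""
    N = len(seq)
    return sum((-1) ** (seq[(i + tau) % N] + seq[i]) for i in range(N))


def partial_autocorrelation(seq, tau, k, D):
    """A_S(tau, k, D): the window [k, k+D) correlated with the window tau steps later."""
    N = len(seq)
    return sum((-1) ** (seq[(i + tau) % N] + seq[i % N]) for i in range(k, k + D))


def imbalance(f, q):                             # I(f) = sum_x F(x) with F(x) = (-1)^f(x)
    return sum((-1) ** f(x) for x in range(q))


def short_autocorrelation(f, q, a):             # Delta_a(f) = sum_x F(ax) F(x), a in GF(q)
    return sum((-1) ** (f(a * x % q) + f(x)) for x in range(q))


def theorem1_prediction(field, alpha, f, tau):
    """Theorem 1 (n >= 2): q^(n-2) I(f)^2 - 1 unless nu | tau, then q^(n-1) Delta_{alpha^tau}(f) - 1."""
    q, n = field.p, field.n
    nu = (q ** n - 1) // (q - 1)
    if tau % nu:
        return q ** (n - 2) * imbalance(f, q) ** 2 - 1
    a = field.pow(alpha, tau)                    # nu | tau, so alpha^tau lies in the subfield GF(q)
    assert not any(a[1:])
    return q ** (n - 1) * short_autocorrelation(f, q, a[0]) - 1


def theorem1_holds(field, alpha, f):
    """Compare brute-force A_S(tau) with Theorem 1 for every shift 0 < tau < q^n - 1."""
    seq = geometric_sequence(field, alpha, f)
    return all(autocorrelation(seq, tau) == theorem1_prediction(field, alpha, f, tau)
               for tau in range(1, len(seq)))


# Constructed instance: q = 3, n = 2 with modulus x^2 + x + 2 (irreducible over GF(3)), so nu = 4.
GF9 = PrimePowerField(3, [2, 1, 1])
ALPHA = GF9.primitive_element()
f_balanced = lambda x: 1 if x == 2 else 0       # f: GF(3) -> GF(2) with I(f) = 1 (Corollary 1, q odd)
S = geometric_sequence(GF9, ALPHA, f_balanced)   # one period (length 8) of the geometric sequence
```

With ν = 4 and I(f) = 1, Theorem 1 gives A_S(τ) = q^{n−2}·1 − 1 = 0 for τ ∈ {1, 2, 3, 5, 6, 7}, which is the q-odd case of Corollary 1, and A_S(4) = 3·Δ_2(f) − 1 = −4 because α^4 = 2 for every primitive α in GF(9). Summing the partial period values A_S(4, k, D) over all eight start positions k gives D·A_S(4) exactly, which is the proportionality of the expectation to A_S(τ) noted in the abstract; the spread of the individual A_S(4, k, D) around that mean is the variance the paper goes on to estimate.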

Thus, if q is odd, the autocorrelations are high. This fact, together with the submaximal linear complexity, has been exploited in a cryptologic attack on geometric sequences: the high autocorrelation is used to determine q with high probability [8]. In fact, a more powerful attack can be launched using imbalance properties of these sequences [6]. When q is even, the feedforward function f can be chosen to be balanced, a